How to make Cisco UCS servers roll over and obey: Send a HTTP poke

You will probably want to install this fix

Cisco has patched a vulnerability in its Unified Computing System (UCS) Central Software that could be exploited by miscreants to take remote control of machines.

Switchzilla said that the CVE-2016-1352 flaw in the UCS web framework is considered a "high" security risk because an unauthenticated attacker can execute arbitrary commands on the targeted UCS control server by sending it a specially crafted HTTP request.

Basically, if you can reach Cisco's UCS central software running on a vulnerable box, within a network or from the outside, you can own it. The software is used to manage hundreds if not thousands of Cisco UCS servers at a time in data centers.

"The vulnerability is due to improper input validation by the affected software," Cisco said. "An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system."

Cisco recommends that users running UCS Central Software versions 1.3(1b) and earlier update in order to obtain the fix. No other products were deemed to be vulnerable to the flaw.
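The only hard fact an admin has to act on here is the version boundary: 1.3(1b) and earlier are affected. The following is an added example, not Cisco's code or anything from the advisory, that parses UCS Central version strings and flags which hosts in a constructed inventory still need the update. It assumes the version string layout major.minor(maintenance+patch-letter), e.g. "1.3(1b)"; the hostnames and versions in the sample inventory are made up, and any string the parser does not recognise is reported as "unknown" rather than silently treated as safe.

```python
import re
from typing import Dict, List, Tuple

# Cisco's advisory: UCS Central Software 1.3(1b) and earlier are affected by CVE-2016-1352.
LAST_AFFECTED = "1.3(1b)"

# Assumption: UCS Central versions look like major.minor(maintenance[patch-letter]).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Turn '1.3(1b)' into a comparable tuple (1, 3, 1, 'b').

    Tuples compare element by element, so a plain <= gives the right ordering:
    major, then minor, then maintenance number, then the optional patch letter
    ('' sorts before 'a').
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised UCS Central version string: {version!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint), patch)


def is_affected(version: str) -> bool:
    """True when the version is 1.3(1b) or earlier, per the advisory."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'affected', 'not affected' or 'unknown'.

    'unknown' is a fail-closed outcome: a version we cannot parse must go to a
    human for review instead of being dropped from the patch list.
    """
    status: Dict[str, str] = {}
    for host, version in inventory:
        try:
            status[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            status[host] = "unknown"
    return status


# Constructed sample inventory (hypothetical hostnames and versions, not real data).
SAMPLE_INVENTORY = [
    ("ucsc-dc1", "1.3(1b)"),   # exactly the last affected release
    ("ucsc-dc2", "1.3(1c)"),   # one patch letter newer
    ("ucsc-lab", "1.2(1a)"),   # older minor release
    ("ucsc-old", "n/a"),       # inventory gap: version never recorded
]

if __name__ == "__main__":
    for host, state in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {state}")
```

Feed it the version column from whatever inventory you already keep (CMDB export, UCS Central's own reported version) and treat both "affected" and "unknown" as work items.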

Security researcher Gregory Draperi was credited with discovering and reporting the vulnerability to Cisco.

The Cisco update adds to what already has been a busy week for security patches. Microsoft's scheduled Patch Tuesday release contained 13 bulletins, including a particularly nasty flaw in the Hyper-V virtualization software that would give a software instance access to the host hardware.

At the same time, details on the much-hyped Badlock security hole were released, and many were underwhelmed to learn that the vulnerability was "only" a man-in-the-middle flaw. ®



